int main()
{
char buff[15] = {0}; /*zero initialize all elements*/
printf("enter your name: ");
scanf(buff, "%s"); /*dangerous, length unchecked*/
}
The program reads a string from the standard input (the keyboard) but
doesn't check the string's length. If the string has more than 14
characters, then it causes a buffer overflow as scanf() tries to write
the remaining characters past buff's end (remember that one character
is always reserved for a null terminator). The result is most likely a
segmentation fault that crashes the program. In certain conditions, the
users will receive a shell's prompt after the crash. Even if the shell
has restricted privileges, they can examine the values of environment
variables, list the current directory files or detect the network with
the ping command.
A more dangerous situation evolves when the program doesn't crash due
to a buffer overflow though. An expert familiar the system's internals
can craft a string that is just long enough to overwrite the program's
IP (instruction pointer, a pointer to the program's next instruction).
If the last 4 bytes of such a string contain a valid memory address,
then the program's flow can be altered. Instead of executing the next
instruction, the program will execute the code to which the new IP
points. It might call another routine or skip code that performs
security checks. I will not go through the gory details here, but this
isn't an unlikely scenario.
Some famous break-ins are based on exploiting such buffer overflows.
One well-documented example is the Red Hat 4.2 suiperl bug, which
resulted from using the function sprintf() (see
http://www.ryanspc.com/exploits/perl.txt for further information).
What can you do to avert buffer overflows? Always check the bounds of
an array before writing it to a buffer. If this is impossible (e.g.,
when the input is coming from a CGI script), then use functions that
limit the number of input characters. For instance, instead of using
scanf(), use the fgets() function, which reads characters up to a
specified limit:
int main()
{
char buff[15] = {0};
fgets(buff, sizeof(buff), stdin); /*read at most 14 chars*/
}
Additionally, the standard string functions have versions that take an
explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf
(), use strncpy(), strncmp(), and snprint(), respectively.